Looking at expr_evaluate_concat(), 'off' might be zero and the error
checks not triggering (by having dtype != NULL and i->dtype->size > 0).
Decrementing it will then lead to casting -1 to unsigned during the call
to concat_subtype_lookup(), which will lead to bit-shifting in
concat_subtype_id() by a value bigger than the number of bits in 'type'
(which is 32bit).

Signed-off-by: Phil Sutter <p...@nwl.cc>
---
This patch is just an ugly sanitization hack and should probably be
substituted by an additional error check in expr_evaluate_concat()
giving an explanation of what went wrong.
---
 src/evaluate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 523eedabe84ac..c8568690f6338 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -950,7 +950,7 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, 
struct expr **expr)
                                                 "expressions",
                                                 i->dtype->name);
 
-               tmp = concat_subtype_lookup(type, --off);
+               tmp = concat_subtype_lookup(type, off > 0 ? --off : 0);
                expr_set_context(&ctx->ectx, tmp, tmp->size);
 
                if (list_member_evaluate(ctx, &i) < 0)
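Review bot: the `off > 0 ? --off : 0` guard on the changed line stops the unsigned underflow but silently maps the out-of-range case to subtype index 0, so an expression with more elements than the concatenation type provides is still evaluated against an arbitrary subtype instead of being rejected; as the cover note already suggests, test `off == 0` before the call and report it through the same error path used for the "expressions" message a few lines above, then keep the original `--off`. A side-effecting decrement inside a ternary is also harder to read than a separate `off--` statement.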
-- 
2.8.2
